SIM Swapping via Insider

Author: n0sec

'Innys'

So far, I have covered internal company software that is abused against carriers to conduct SIM swaps, as well as the use of live chat to conduct SIM swaps. Another common method is using company insiders, and nearly every company is vulnerable to an insider threat, even with good user access management. We see insider threats being weaponized constantly, such as in the 2020 Twitter hack, which weaponized an internal employee who had too much control over the company's tooling, allowing lateral movement. Except, in this context, the consequence is much greater than Twitter accounts being compromised to be sold and to fool users into giving up Bitcoin: millions of dollars are on the line.

'Innys' is shorthand for insiders in the context of this article. Insiders can come at different levels: most companies have general floor employees, managers, district managers, corporate workers, and engineers. District managers and engineers tend to have high levels of access in user access management models and are typically the target of insider attacks. Insider attacks are conducted in many ways, including extortion, phishing, and bribery. The most common case for insiders in the context of mobile carriers is bribery, with payments ranging up to the tens of thousands of dollars, but phishing is also typically involved.

Phishing logins

Just as with 'remo snatching', where a manager's login credentials must be ready in order to access the T-Mobile Tapestry software, login credentials are needed to conduct an insider attack in most circumstances. This is for the security of the insider: if the insider uses another employee's login, they may have higher access in the user access management model and greater personal security against being discovered as an insider threat. Phished logins are often given to floor employees who are bribed as insiders for SIM swappers, giving the floor employee access to whatever the phished login may have access to, such as a district manager's ability to bypass 'fraudlock victims' (targets who have special security from a carrier). You may wonder why an insider is needed if the fraudster already has a district manager login. This is because most carriers' software can only be used inside the store, on store devices, which only an employee would have access to. An insider doesn't have to be a high-level employee; they just have to be an employee, and the fraudster needs to have a high-level login on deck.

The means for phishing logins is fairly straightforward: fraudsters look up contact information for district managers, call stores and request the manager. They trick the manager into visiting their phishing domain and entering their credentials however they can, typically by calling as corporate staff from the mobile carrier and saying that there is a ticket the manager needs to check, which can be accessed at the fraudster's phishing domain.

These high-level logins such as district manager for carriers like Verizon and T-Mobile can be sold for steep prices ranging from 2,000 to 3,000 USD in many markets.

Insider Advantages & Disadvantages

Insiders, because they have physical access to internal company tools, are able to fully access customers' accounts without much restriction. A low-level employee would likely need the customer to receive a one-time passcode to perform a SIM swap, which isn't possible since the customer isn't giving permission to have their SIM swapped, but higher-level employees don't have to worry about this. This business model is hard to sustain, as insiders are very likely to get caught by the company and be fired, along with potential legal prosecution. Even with other employees' logins, carriers still manage to trace actions done on customers' accounts back to the store, likely via the identifier of the device used being associated with the store.

Insiders also typically cost upfront funds and create a risk of the fraudster being scammed. The insider could claim that they will help the fraudster conduct a SIM swap, take the funds, and block the SIM swapper, and there is little the SIM swapper can do about it. The SIM swapper can extort the employee, but this may lead the SIM swapper into trouble they don't want to be involved in. It can be difficult for SIM swappers to find insiders, as most digital crime is facilitated online, and finding floor employees, the people most susceptible to becoming insiders, is hard to do online. District managers can obviously be found more easily through means like LinkedIn and Reddit, but they are far less likely to help a fraudster, due to their knowledge of the subject. They tend to understand the operational security liability that would be placed upon them.
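As an added example (not code from the original post), here is a small Python check over a constructed audit log that flags, from the carrier's side, the patterns the two paragraphs above describe: a login used on a terminal registered to a different store than the one the credential is assigned to, a fraud-lock override, and a swap completed without the customer confirming a one-time passcode. The log layout, field names and records are my own assumptions, not any carrier's actual schema.

```python
# Added example, not from the original article: a small audit-log check that
# flags SIM-swap actions matching the insider pattern described above (a login
# used at a store it is not assigned to, a fraud-lock override, or a swap with
# no customer OTP). Log layout, field names and records are constructed here;
# real carrier tooling records these differently.
import csv
from io import StringIO

# Constructed sample audit log, one SIM-swap action per line.
# login_home_store: store the credential is assigned to
# device_store:     store the terminal that performed the action is registered to
SAMPLE_LOG = """\
ts,action,login_id,login_role,login_home_store,device_store,otp_verified,fraud_lock_override
2023-01-05T10:02:11Z,sim_swap,emp1041,floor,STORE-22,STORE-22,yes,no
2023-01-05T10:15:43Z,sim_swap,dm0087,district_manager,STORE-09,STORE-22,no,yes
2023-01-05T11:00:09Z,sim_swap,emp1041,floor,STORE-22,STORE-22,no,no
2023-01-05T11:30:27Z,sim_swap,mgr0310,store_manager,STORE-07,STORE-22,yes,no
"""


def flag_sim_swaps(log_text: str) -> list[dict]:
    """Return one finding per suspicious sim_swap row: {ts, login_id, device_store, reasons}."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "sim_swap":
            continue
        reasons = []
        # Credential used on a terminal registered to a different store than the
        # login's own: the shape a phished manager login takes when an insider
        # at another store uses it.
        if row["login_home_store"] != row["device_store"]:
            reasons.append("store_mismatch")
        # The account's fraud lock was overridden to complete the swap.
        if row["fraud_lock_override"] == "yes":
            reasons.append("fraud_lock_override")
        # Swap completed without the customer confirming a one-time passcode.
        if row["otp_verified"] != "yes":
            reasons.append("no_customer_otp")
        if reasons:
            findings.append({"ts": row["ts"], "login_id": row["login_id"],
                             "device_store": row["device_store"], "reasons": reasons})
    return findings


def flags_per_store(findings: list[dict]) -> dict[str, int]:
    """Count flagged swaps per terminal store; the carrier ties each action to the store device."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["device_store"]] = counts.get(f["device_store"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_sim_swaps(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["login_id"], f["device_store"], ",".join(f["reasons"]))
    print(flags_per_store(hits))
```

Run against the constructed log, the check flags three of the four swaps: the district-manager login used at STORE-22 on all three rules, a floor employee's swap with no customer OTP, and a store manager's login used away from its own store. Grouping findings by terminal store is what lets an investigator go from "a phished login was used" to "which physical store, and who was on shift".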

Conclusion

There is little that a person can do about an insider at a mobile carrier being used to SIM swap a line. Even 'fraudlock victims' (customers with extra carrier security) can have that security bypassed by district managers in many cases. This is why I encourage all readers to make use of client-side 2FA such as Google Authenticator as opposed to 2FA via OTP codes sent to the phone.